Windows 2022, SQL Server 2022, FCI cluster with 2 physical nodes. 5 instances of SQL Server running on the FCI cluster. I need to have TLS certification running on all 5 instances of SQL Server. Can a single TLS certificate (installed on the servers) be used for all 5 instances, or does it require a single certificate for each instance?
2 Answers
You can reuse TLS Certificates across as many servers/instances as required. For example, a single, trusted wildcard certificate shared across your entire enterprise.
Additional information:
Each instance has its own registry key setting that specifies the Certificate to use.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL16.INST1\MSSQLServer\SuperSocketNetLib\Certificate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL16.INST2\MSSQLServer\SuperSocketNetLib\Certificate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL16.INST3\MSSQLServer\SuperSocketNetLib\Certificate
Set the Certificate value equal to the thumbprint of the certificate you want to use and restart the SQL instance. Although not explicitly mentioned in the documentation, there are no restrictions or limitations on reusing the same thumbprint for multiple instances on the same box. Repeat this process on each FCI node.
Alternative process is to use SQL Server Configuration Manager to set the certificate for each instance.
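The registry route described in the answer above, as an added example that is not code from the answer or from Microsoft: it binds one certificate, by thumbprint, to every SQL Server instance registered on the node, and goes slightly beyond the answer by also writing the ForceEncryption value that lives in the same key. The thumbprint is a placeholder, and the script assumes the certificate has already been imported into Cert:\LocalMachine\My on this node with its private key and that its Subject/SAN covers the FCI virtual network name that clients connect to. Run it elevated on each FCI node.

```powershell
# Added example (not from the original answers): bind ONE certificate, by thumbprint, to every
# SQL Server instance registered on this node, then read the values back.
# Assumptions (placeholders, not from the page): the thumbprint; the certificate is already in
# Cert:\LocalMachine\My with its private key; Subject/SAN covers the FCI virtual network name.
param(
    [string]$Thumbprint      = 'AABBCCDDEEFF00112233445566778899AABBCCDD',  # placeholder
    [bool]  $ForceEncryption = $true   # $true => the instance rejects unencrypted client connections
)

# SQL Server wants the thumbprint as bare hex with no spaces; normalise whatever was pasted.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint must be 40 hex characters (SHA-1), got '$Thumbprint'" }

# Fail early if this node does not actually hold a usable copy of the certificate.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                    { throw "Certificate $Thumbprint not found in LocalMachine\My on $env:COMPUTERNAME" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key on this node" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
Write-Host "Using certificate: $($cert.Subject) (expires $($cert.NotAfter.ToShortDateString()))"

# 'Instance Names\SQL' maps each instance name (e.g. INST1) to its registry folder
# (e.g. MSSQL16.INST1), which is where that instance's SuperSocketNetLib key lives.
$map       = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$provider  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # provider noise, not instances
$instances = $map.PSObject.Properties | Where-Object { $_.Name -notin $provider }
if (-not $instances) { throw 'No SQL Server instances are registered on this node' }

foreach ($inst in $instances) {
    $key = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($inst.Value)\MSSQLServer\SuperSocketNetLib"
    if (-not (Test-Path $key)) { Write-Warning "$($inst.Name): $key missing, skipping"; continue }

    # Same thumbprint for every instance: nothing stops several instances sharing one certificate.
    Set-ItemProperty -Path $key -Name 'Certificate'     -Value $Thumbprint              -Type String
    Set-ItemProperty -Path $key -Name 'ForceEncryption' -Value ([int]$ForceEncryption) -Type DWord

    # Read back so the output shows exactly what each instance will load on its next start.
    $now = Get-ItemProperty -Path $key
    '{0,-10} {1,-16} Certificate={2} ForceEncryption={3}' -f $inst.Name, $inst.Value, $now.Certificate, $now.ForceEncryption
}
```

Two caveats that bite on a cluster. First, unlike SQL Server Configuration Manager, writing the registry does not grant the SQL Server service account read access to the private key; grant it yourself (certlm.msc, All Tasks, Manage Private Keys), otherwise the instance logs that it cannot load the user-specified certificate at startup and, with Force Encryption on, does not start. Second, restart each instance through the cluster (Failover Cluster Manager, or Stop-ClusterResource / Start-ClusterResource on the SQL Server resource) rather than Restart-Service, and run the script on the other node before you fail over to it.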
In your setup, you can use a single TLS certificate for all 5 instances of SQL Server running on your FCI (Failover Cluster Instance) cluster. You can follow these steps to achieve this:
Obtain the TLS certificate from a trusted Certificate Authority (CA) and install it on all 5 cluster nodes.
Bind the Certificate to SQL Server Instances using the SQL Server Configuration Manager.
Open the manager and expand on SQL Server Network Configuration.
Select "Protocols for " for each instance.
Right-click "Properties" and go to the "Certificate" tab.
Select the installed certificate from the dropdown list.
Ensure the certificate thumbprint matches the installed certificate.
Apply the settings. For the changes to take effect restart the SQL Server services.
Ensure each instance is configured to use the correct certificate. This includes setting the registry keys and enabling the Force Encryption option if needed. Verify that TLS encryption is working by using SQL Server Management Studio (SSMS) to connect to each instance and check the encryption status.
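The verification step in the answer above, scripted instead of done by hand in SSMS, as an added example that is not code from the answer: it connects to each instance with encryption required and certificate validation on, then asks the server which transport and encryption it actually negotiated for that session. The virtual network name and instance names are placeholders; the script assumes Windows authentication and that the client machine trusts the CA that issued the certificate.

```powershell
# Added example (not from the original answers): prove that every instance of the FCI really
# serves TLS with the intended certificate, one connection per instance.
# Assumptions (placeholders, not from the page): the virtual network name and instance names;
# Windows authentication; the client trusts the issuing CA.
$VirtualName = 'SQLFCI01'                                    # FCI virtual network name, placeholder
$Instances   = @('INST1', 'INST2', 'INST3', 'INST4', 'INST5')  # placeholders

# What the server negotiated for THIS session, straight from the engine's own view of it.
$query = @'
SELECT net_transport, protocol_type, encrypt_option, auth_scheme, local_tcp_port
FROM   sys.dm_exec_connections
WHERE  session_id = @@SPID;
'@

foreach ($inst in $Instances) {
    # Encrypt=True forces TLS; TrustServerCertificate=False makes the client validate the chain
    # AND the host name, so a certificate whose Subject/SAN does not cover $VirtualName fails
    # here loudly instead of passing silently.
    $cs = "Server=$VirtualName\$inst;Database=master;Integrated Security=SSPI;" +
          "Encrypt=True;TrustServerCertificate=False;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $encrypted = [string]$reader['encrypt_option']
            $status    = if ($encrypted -eq 'TRUE') { 'OK' } else { 'NOT ENCRYPTED' }
            $line      = '{0,-6} {1,-6} port={2,-5} auth={3,-10} encrypt_option={4,-5} {5}'
            $line -f $inst, $reader['net_transport'], $reader['local_tcp_port'], $reader['auth_scheme'], $encrypted, $status
        }
        $reader.Close()
    }
    catch {
        # Typical causes: chain not trusted on the client, name mismatch against $VirtualName,
        # or the instance still serving its old self-signed certificate because it was not restarted.
        '{0,-6} FAILED: {1}' -f $inst, $_.Exception.Message
    }
    finally {
        $conn.Dispose()
    }
}
```

Run it from a machine other than the cluster nodes so the connection goes over TCP (a local connection may pick shared memory and tell you nothing about the listener); named-instance resolution needs the SQL Browser service reachable, or put the port in the Server value instead. A row reading encrypt_option=TRUE with no validation error is the evidence that the instance is using a certificate the client trusts for the name it connected to.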